Mailing List Archive: Cisco: NSP

Need help with policy-based firewall (IOS 12.4T)


ivan_poddubnyy at symantec

Nov 23, 2009, 5:57 PM


Hi,

I have two 2821 routers with policy-based firewall configured on them.
There's an IPSec GRE tunnel configured between the routers.

The problem is traffic can't pass through the tunnel (even though the tunnel
is established). Here is a message from the logs:

===========
Nov 23 17:36:43 10.0.80.252 24385: rtr02.sj: [syslog@9 s_sn="22618"
s_id="rtr02.sj:514" s_tc="1309483" s_dc="28318"]: 033999: .Nov 23
17:36:42.608 PST: %FW-6-DROP_PKT: Dropping Unknown-l4 session
207.211.80.190:0 143.127.138.34:0 on zone-pair sdm-zp-out-self class
class-default due to DROP action found in policy-map with ip ident 0
===========

Router-A has IP address 207.211.80.190
Router-B has IP address 143.127.138.34

At the same time, I see messages like this in the logs:

============
Nov 23 17:45:01 10.0.80.252 24410: rtr02.sj: [syslog@9 s_sn="22643"
s_id="rtr02.sj:514" s_tc="1309542" s_dc="28318"]: 034024: .Nov 23
17:45:00.681 PST: %FW-6-PASS_PKT: (target:class)-(sdm-zp-out-self:sdmgre)
Passing Unknown-l4 pkt 143.127.138.34:0 => 207.211.80.190:0 with ip ident 0
============

Now, parts of the config from router-A (router-B is a mirror image of
router-A):

-------------
rtr02.sj#show runn | sec zone
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
-------------
rtr02.sj#show runn | sec policy-map
policy-map type inspect sdm-permit
 class type inspect sdmgre
  pass log
 class type inspect SDM_VPN
  pass log
 class type inspect sdmself
  pass log
 class class-default
  drop log
-------------
rtr02.sj#show runn | sec class-map
class-map type inspect match-all sdmgre
 match access-group 101
class-map type inspect match-all SDM_VPN
 match access-group name SDM_VPN
-------------
rtr02.sj#show access-lists 101
Extended IP access list 101
10 permit ip host 143.127.138.34 any (1132063 matches)
20 permit gre host 143.127.138.34 any
30 permit esp host 143.127.138.34 any
40 permit ahp host 143.127.138.34 any
50 permit udp host 143.127.138.34 eq isakmp any
--------------
rtr02.sj#show access-lists SDM_VPN
Extended IP access list SDM_VPN
10 permit gre any any
20 permit ahp any any
30 permit esp any any
--------------

So, the DROP log message above is generated by this part of the config from
policy-map:

 class class-default
  drop log

At the same time, the policy passes some traffic, as can be seen from the second log
message. And if I replace 'drop' with 'pass' in 'class-default', everything
works fine. For obvious reasons I don't want to do that.

My first question is, what is 'ip ident 0'?

My second question is, why is router-A skipping (for the most part) ACLs 101 and
SDM_VPN and hitting 'class-default' when traffic is coming from router-B?

Any help is appreciated!

Thank you!

--ivan

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
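The two %FW-6-DROP_PKT / %FW-6-PASS_PKT messages quoted in the post are the only evidence of which class each packet is landing in, so a small parser that tallies events per zone-pair and class, and lists the flows falling through to class-default, is the first thing to run over the router's syslog before touching the policy. This is an added example, not code from the post or from Cisco; the sample lines are constructed by re-joining the wrapped messages above onto one line each, and the regexes assume the message layout shown there (the field order in other IOS releases may differ).

```python
import re
from collections import Counter

# Constructed sample log: the two messages from the post re-joined onto one line
# each, plus an unrelated line to show that non-ZBF messages are ignored.
SAMPLE_LOG = [
    'Nov 23 17:36:42.608 PST: %FW-6-DROP_PKT: Dropping Unknown-l4 session '
    '207.211.80.190:0 143.127.138.34:0 on zone-pair sdm-zp-out-self class '
    'class-default due to DROP action found in policy-map with ip ident 0',
    'Nov 23 17:45:00.681 PST: %FW-6-PASS_PKT: (target:class)-(sdm-zp-out-self:sdmgre) '
    'Passing Unknown-l4 pkt 143.127.138.34:0 => 207.211.80.190:0 with ip ident 0',
    'Nov 23 17:45:02.000 PST: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up',
]

# Patterns derived from the two quoted messages (assumed layout, see lead-in).
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<l4>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)"
    r"(?:.* with ip ident (?P<ident>\d+))?")
PASS_RE = re.compile(
    r"%FW-6-PASS_PKT: \(target:class\)-\((?P<zone_pair>[^:)]+):(?P<cls>[^)]+)\) "
    r"Passing (?P<l4>\S+) pkt (?P<src>[\d.]+):(?P<sport>\d+) => "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:.* with ip ident (?P<ident>\d+))?")

def parse_fw_event(line):
    """Return a dict for a ZBF DROP_PKT/PASS_PKT line, or None for any other line."""
    for action, rx in (("DROP", DROP_RE), ("PASS", PASS_RE)):
        m = rx.search(line)
        if m:
            ev = m.groupdict()
            ev["action"] = action
            ev["ident"] = int(ev["ident"]) if ev["ident"] is not None else None
            return ev
    return None

def summarize(lines):
    """Count events per (action, zone-pair, class). A large DROP count on
    class-default means traffic that none of the explicit class-maps matched."""
    counts = Counter()
    for ev in map(parse_fw_event, lines):
        if ev:
            counts[(ev["action"], ev["zone_pair"], ev["cls"])] += 1
    return counts

def unmatched_flows(lines):
    """(src, dst, l4) of flows dropped by class-default: the ACL gaps to inspect."""
    return sorted({(ev["src"], ev["dst"], ev["l4"]) for ev in map(parse_fw_event, lines)
                   if ev and ev["action"] == "DROP" and ev["cls"] == "class-default"})

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
    print("falling through to class-default:", unmatched_flows(SAMPLE_LOG))
```

Feed it the real syslog (one message per line) and the flows listed under class-default show which (source, destination, protocol) combinations ACLs 101 and SDM_VPN are not covering on each router.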
